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SION AISTORY 
This section shows the current revision of this document. 


Security Authorization 
Version Date Final sign-off 
Numbert | Completed completed on 
1.0 2020-04-03 | COVID 19 - Contact tracking desktop 

application Valid 2020-04-03 thru 2020-10-03 


1.2 2020-04-16 | CANArrive Mobile Application Release 1 Valid 
2020-04-17 thru 2020-10-17 


1.1 2020-04-07 | COVID 19 - Contact tracking Mobile 
Application Beta - Valid 2020-04-07 thru 
2020-04-17 


“important: Any change in the list of the Service Assets listed in section 4.4 is considered a major revision (eg going from 
2.3 to 3.0), while any change in the s ity rating summary of the same section, without addition or removal of Service 
Assets is considered a minor revision (es going from 2.3 to 2.4) 
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IGNAT 


This SMCM Security Authorization (SA) has been developed and produced in accordance 
with ISTB’s Service Life Cycle Management Framework, Baseline 3. 


Approvals - Security Authorization 


I have completed the review of the key evidence supporting this security authorization, 
including the summary of security risks in Section 2. 


Iam granting/re-granting this information system an Interim Authorization to Operate and, in 
so doing, I accept the security risk to the business associated with running that system within 
the current operational context. 

The security authorization of the information system will remain in effect as long as it satisfies 
the requirement for continuous monitoring or that it is revoked by the authorizers. 


Business owner: John Ommanney, Director General, Travellers Programs 


Conditions: Digital Signature /Date 


Service Owner: Cameron MacDonald, Director General, Business Application Services 


Conditions: Digital Signature /Date 


Cameron MacDonald 2020-04-16 


CBSA Chief Technology Officer: Daniel Tremblay, CTO and Director General, Enterprise Services 


Conditions: Digital Signature /Date 


Chief Security Officer: Pierre Lessard, Chief Security Officer (CSO 
Conditions: Digital Signature /Date 


Signature numérique de 
LESSARD LESSARD PIERRE 


Date: 2020.04.16 16:31:28 
PIERRE 0400 
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tion 1 | 
The Security Authorization (SA) document conveys the final security authorization decision 
from the authorizing officials to grant an “Authorization to Operate - ATO” and, in so doing, 


accepts the risk to the business associated with running that system within the current 
operational context. 


ION (SA) CONTENT 


The explicit acceptance of risk is the responsibility of the authorizing officials and cannot be 
delegated to other officials within the organization. For all SA, the authorizing officials 
include, as a minimum: 
I. The IT-Enabled Service Business Owner 
I]. The IT-Enabled Service Owner 
III]. The Departmental Security Officer 


The authorizer may issue an ATO, with or without conditions, or issue a denial of 
Authorization to Operate. The decision will be based on several factors, most importantly the 
acceptability of the residual risks and the nature of outstanding security deficiencies. 
Balancing security considerations with mission and operational needs is paramount to 
achieving an acceptable authorization decision. 


Authorization is a state that an information system is in during the operations and 
maintenance phase of its lifecycle. It is not a condition that expires after a period of time and 
that needs to be renewed. The SA is an ongoing process. Once in operation, an information 
system is subjected to continuous security monitoring and assessment by the responsible IT 
security group. 


The terms and conditions forthe authorization provide a description of any specific 
limitations or restrictions placed on the operation of the information system or inherited 
controls that must be followed by the system owner or common control provider. 


2m 


rization in the context of 


The SLMF has established the concept of “IT-Enabled Services” as the unit of management of 
service assets such as software applications. The decision to grant a SA is also performed at 
the IT-Enabled Service level. 


The security posture a service is the sum of the security risks of its primary assets. 


Important: The SA does not pertain to a “Solution”, which typically integrates multiple IT- 
Enabled Services. Each Service must have its own SA. The security posture of a “Solution” is 
the sum of the security posture for all the services that are integrated by the solution. 
Acceptance of the security posture ofa “Solution” is a Programs function, which is not in 
scope of the present SA. 


Although a release typically pertains to assets ofa single service, a release may also impact 
the security posture of multiple services. In these situations, that release may require more 
than one SA. By the same token, a release may pertain to a single service but affect multiple 
primary assets, in this case it would only require a unique SA. 
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ATION PACKAGE 


.i Authorization Package - Summary of Secur 


The Authorization Package is the sum ofthe work products supporting the Security 
Authorization. This will normally include all the SLMF work products pertaining to the 
Primary Assets of the IT-Enabled Service. 


The assessment of security controls for each Service Assets is completed as a distinct work 
product, either as part of a Service Release or a Service Baseline Security Assessments. 


The details of the determination of the Security Risks Level are subject to a distinct Security 
Assessment Report. Only a summary is presented here. 


Asset Last Assessment | Baseline Security Risk Evolution 
Date Assessment Level of Security 
Completed Posture 


Covid-19 Contact 2020-04-03 N N/A 

Tracking Desktop 

Application 
Covid-19 Contact 2020-04-15 
Tracking Mobile App 


2.2 Authorization Package - Tracking by Releases 


Each Service Assets impacting the security posture of a Service is normally security-assessed 
as part of a Release. The table below provides information as to which version of the SA is 
associated with a specific Release, where it will support the ORR SMC Review. 


2.2.1 Covid-19 Contact Tracking Desktop Application - 2020-04-03 


This application has a level of assessed risk, for which the target level of acceptable 
residual risk is Low. This Interim Security Authorization provides an interim authority to 
Operate with an expiry date of October 3™, 2020, to process information up to and including 
Protected B service delivery information with availability 
commencing immediately following approval of this document with the following 
conditions: 


1. 
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2.2.2 CANArrive Mobile Application Release 1 ~ 2020-04-16 


This application has a level of assessed risk, for which the target level of acceptable 
residual risk : This Interim Security Authorization provides an interim authority to 
operate for release 1 with an expiry date of October 17“ 2020 (6 months), to process 
information up to and including Protected B service delivery information with 

availability commencing immediately following approval of this 
document with the following conditions: 


1. 
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This section shows the current revision of this document. 


Security Authorization 
Version Date Final sign-off 
Number | Completed 4 on 
2020-04-03 | COVID 19 - Contact tracking desktop 
application Valid 2020-04-03 thru 2020-10- ni 


ArriveCan Mobile Application Release 1 
Valid 2020-04-17 thru 2020-10-17 
Valid 2020-07-14 thru 2021-01-14 

ArriveCan v2.19 - Proof of Vaccine Lt 
Valid 2021-07-05 thru 2022-07-05 


important: Any change in the list of the Service Assets listed in section 4.1 is considered a major revision (eg going from 
2,3 te 3.0), while any change in the security rating summary of the same section, without addition or removal of Service 
Assets is considered a minor revision {es going from 2.3 te 2.4) 
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IGNAT 


This SMCM Security Authorization (SA) has been developed and produced in accordance 
with ISTB’s Service Life Cycle Management Framework, Baseline 3. 


Approvals - Security Authorization 


I have completed the review of the key evidence supporting this security authorization, 
including the summary of security risks in Section 2. 


I am granting/re-granting this information system an Interim Authorization to Operate and, in 
so doing, I accept the security risk to the business associated with running that system within 
the current operational context. 

The security authorization of the information system will remain in effectas long as it satisfies 
the requirement for continuous monitoring or that it is revoked by the authorizers. 


Service Owner: Antonio Utano, a/Director General, Border Technologies Innovation 
Conditions: Digital Signature /Date 


Digitally signed by UTANO 
UTANO ANTONIO 


Date: 2021.07.04 12:32:42 
ANTONIO 400 


CBSA Chief Technology Officer: Daniel Tremblay, CTO and Director General, IT Solutions and 
Operations 
Conditions: Digital Signature /Date 


| ORBI Digita ane by R 
Date: 2021.07. 16: 
ANDREW i t : 1.07.02 16:16:44 


Cyber Security: Gino Lechasseur, Director General, Enterprise Collaboration and Digital 
Services 
Conditions: Digital Signature /Date 
LECHASSEUR Signature numérique de 
LECHASSEUR GINO 
G | N O Date.: 2021.06.30 16:45:46 
-04'00' 
Chief Security Officer: Pierre Lessard, CSO and Director General Security and Professional 


Standards 
Conditions: Digital Signature /Date 


Signature numérique de 
LESSARD LESSARD PIERRE 


Date.: 2021.07.02 17:04:13 
PIERRE eres 
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tion 1 | 
The Security Authorization (SA) document conveys the final security authorization decision 
from the authorizing officials to grant an “Authorization to Operate - ATO” and, in so doing, 


accepts the risk to the business associated with running that system within the current 
operational context. 


10N (SA) CONTENT 


The explicit acceptance of risk is the responsibility of the authorizing officials and cannot be 
delegated to other officials within the organization. For all SA, the authorizing officials 
include, as a minimum: 
I. The IT-Enabled Service Business Owner 
I]. The IT-Enabled Service Owner 
III]. The Departmental Security Officer 


The authorizer may issue an ATO, with or without conditions, or issue a denial of 
Authorization to Operate. The decision will be based on several factors, most importantly the 
acceptability of the residual risks and the nature of outstanding security deficiencies. 
Balancing security considerations with mission and operational needs is paramount to 
achieving an acceptable authorization decision. 


Authorization is a state that an information system is in during the operations and 
maintenance phase of its lifecycle. It is not a condition that expires after a period of time and 
that needs to be renewed. The SA is an ongoing process. Once in operation, an information 
system is subjected to continuous security monitoring and assessment bythe responsible IT 
security group. 


The terms and conditions forthe authorization provide a description of any specific 
limitations or restrictions placed on the operation of the information system or inherited 
controls that must be followed by the system owner or common control provider. 


2m 


rization in the context of 


The SLMF has established the concept of “IT-Enabled Services” as the unit of management of 
service assets such as software applications. The decision to grant a SA is also performed at 
the IT-Enabled Service level. 


The security posture a service is the sum of the security risks of its primary assets. 


Important: The SA does not pertain to a “Solution”, which typically integrates multiple IT- 
Enabled Services. Each Service must have its own SA. The security posture of a “Solution” is 
the sum of the security posture for all the services that are integrated by the solution. 
Acceptance of the security posture ofa “Solution” is a Programs function, which is not in 
scope of the present SA. 


Although a release typically pertains to assets ofa single service, a release may also impact 
the security posture of multiple services. In these situations, that release may require more 
than one SA. By the same token, a release may pertain to a single service but affect multiple 
primary assets, in this case it would only require a unique SA. 
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ti 


RIZATION PACKAGE 


| 
2.1 ArriveCanv2.1i roof of Vaccine (PVC) 


This application has a level of assessed risk, for which the target level of acceptable 
residual risk This Interim Security Authorization provides an interim authority to 
Operate with an expiry date of July 4%, 2022, to process information up to and including 
Protected B service delivery information with availability 
commencing immediately following approval of this document with the following 
conditions: 


1. The Security Management Action Plan (SMAP) form is completed and the form is signed 
off within 30 business days of go live. 


2. The commitments made through the SMAP process are met based on timelines specified 
in the SMAP. 


S Summary of Se 


The Authorization Package is the sum of the work products supporting the Security 
Authorization. This will normally include all the SLMF work products pertaining to the 
Primary Assets of the IT-Enabled Service. 


The assessment of security controls for each Service Assets is completed as a distinct work 
product, either as part of a Service Release or a Service Baseline Security Assessments. 


The details of the determination of the Security Risks Level are subject to a distinct Security 
Assessment Report. Only asummary is presented here. 


Asset Last Assessment | Baseline Security Risk Evolution 
Date Assessment Level of Security 
_ pleted LS 


PHAC Contact Tracking 2020-04-03 

Desktop Application 

ArriveCan Contact 2021-06-30 KR 
Tracking Mobile App 

and Backend 
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racking by Releases 


Each Service Assets impacting the security posture of a Service is normally security-assessed 
as part of a Release. The table below provides information as to which version of the SA is 
associated with a specific Release, where it will support the ORR SMC Review. 


Each Service Assets impacting the security posture of a Service is normally security-assessed 
as part of a Release. The table below provides information as to which version of the SA is 
associated with a specific Release, where it will support the ORR SEMC Review. 

Border Operations Service-BOS 


Release? Service Asset(s) | Type ofsecurity work Security | Resulting 
impacted product completed Impacts | version 
product of SA 


ArriveCan ArriveCan Final Security 2021-06-30 
V2.19 PVC Contact Assessment Report 

Tracking (FSAR), Security 

Mobile App Management Action 

and Backend Plan (SMAP 


ArriveCan ArriveCan FSAR, SMAP 2020-07-13 
v2 Contact 

Tracking 

Mobile App 

and Backend 


ArriveCan ArriveCan FSAR, SMAP 2020-04-16 
vi Contact 

Tracking 

Mobile App 

and Backend 


PHAC Interim Interim Security 2020-04-03 
Desktop Security Authorization (ISA) 
Authorization 


2 important: Unless otherwise specified, Maintenance Releases [MR] are not included in the tracking. Maintenance 
Releases have, by definition, low security impact and are reviewed through a separate process. Where a MR is considered 
to have a potential impact on the security posture of a Service, it may be included here, as an exception, and be subject to a 
Security Authorization. 
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VISION HISTOR 


This section shows the current revision of this document. 


Security Authorization 
Version Date Final sign-off 
Numbert | Completed a on 
1.0 2020-04-03 | COVID 19 - Contact tracking desktop 
application Valid 2020-04-03 thru 2020-10- Al 
1.1 2020-04-16 | ArriveCan Mobile Application Release 1 2020-06-16 
Valid 2020-04-17 thru 2020-10-17 


Valid 2020-07-14 thru 2021-01-14 

ArriveCan v2.19 - Proof of Vaccine 
Valid 2021-07-05 thru 2022-07-05 
Valid 2021-10-18 thru 2022-10-18 


important Any change in the list of the Service Assets listed in section 44 is considered a mi ajor revision {eg going from 
2.3 to 3.0), while any change in the security rating summary of the same section, without addition or removal of Service 
Assets is considered a minor revision (es. going from 2.3 ta 24) 
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IGNAT 


This SMCM Security Authorization (SA) has been developed and produced in accordance 
with ISTB’s Service Life Cycle Management Framework, Baseline 3. 


Approvals - Security Authorization 


I have completed the review of the key evidence supporting this security authorization, 
including the summary of security risks in Section 2. 


I am granting/re-granting this information system an Interim Authorization to Operate and, in 
so doing, I accept the security risk to the business associated with running that system within 
the current operational context. 

The security authorization of the information system will remain in effectas long as it satisfies 
the requirement for continuous monitoring or that it is revoked by the authorizers. 


Service Owner: Antonio Utano, a/Director General, Border Technologies Innovation 
Conditions: Digital Signature /Date 


Digitally signed by UTANO 


UTANO ANTONIO antonio 


Date: 2021.11.03 12:53:49 -04'00' 


CBSA Chief Technology Officer: Daniel Tremblay, CTO and Director General, IT Solutions and 
Operations 
Conditions: Digital Signature /Date 


Digitally signed by TREMBLAY DANIEL 


his ISA represents a platform that has not yet Digitally signed by TREMBLA\ 
operationally transitioned to ITSO; when it does, a l R E M B L AY OU=PERSONNEL, CN-TREMBLAY DANIEL + 
re-evaluation of its risk posture will be required. SERIALNUMBER=2015145231 123057 
Reason. | am the author of this document 


Location: your signing location here 
Date: 2021-10-25 20:42:50 


Foxit PhantomPDF Version: 10.0.1 


Cyber Security: Gino Lechasseur, Director General, Enterprise Collaboration and Digital 
Services 
Conditions: Digital Signature /Date 


Signature numérique de 
LECHASSEUR LECHASSEUR GINO 
GINO or acai 12:20:09 


Chief Security Officer: Pierre Lessard, CSO and Director General, Security and Professional 
Standards 
Conditions: Digital Signature /Date 


Digitally signed by LESSARD 


LESSARD PIERRE Pierre 


Date: 2021.10.25 07:29:21 -04'00' 
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tion 1 | 
The Security Authorization (SA) document conveys the final security authorization decision 
from the authorizing officials to grant an “Authorization to Operate - ATO” and, in so doing, 


accepts the risk to the business associated with running that system within the current 
operational context. 


The explicit acceptance of risk is the responsibility of the authorizing officials and cannot be 
delegated to other officials within the organization. For all SA, the authorizing officials 
include, as a minimum: 
I. The IT-Enabled Service Business Owner 
I]. The IT-Enabled Service Owner 
III]. The Departmental Security Officer 


The authorizer may issue an ATO, with or without conditions, or issue a denial of 
Authorization to Operate. The decision will be based on several factors, most importantly the 
acceptability of the residual risks and the nature of outstanding security deficiencies. 
Balancing security considerations with mission and operational needs is paramount to 
achieving an acceptable authorization decision. 


Authorization is a state that an information system is in during the operations and 
maintenance phase of its lifecycle. It is not a condition that expires after a period of time and 
that needs to be renewed. The SA is an ongoing process. Once in operation, an information 
system is subjected to continuous security monitoring and assessment by the responsible IT 
security group. 


The terms and conditions forthe authorization provide a description of any specific 
limitations or restrictions placed on the operation of the information system or inherited 
controls that must be followed by the system owner or common control provider. 


the context of 


The SLMF has established the concept of “IT-Enabled Services” as the unit of management of 
service assets such as software applications. The decision to grant a SA is also performed at 
the IT-Enabled Service level. 


The security posture a service is the sum of the security risks of its primary assets. 


Important: The SA does not pertain to a “Solution”, which typically integrates multiple IT- 
Enabled Services. Each Service must have its own SA. The security posture of a “Solution” is 
the sum of the security posture for all the services that are integrated by the solution. 
Acceptance of the security posture ofa “Solution” is a Programs function, which is not in 
scope of the present SA. 


Although a release typically pertains to assets of a single service, a release may also impact 

the security posture of multiple services. In these situations, that release may require more 
than one SA. By the same token, a release may pertain to a single service but affect multiple 
primary assets, in this case it would only require a unique SA. 
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ti 


ZATION PACKAGE 


| 
2.1 ArviveCan v2.22 - 


This application has a level of assessed risk, for which the target level of acceptable 
residual risk (his Interim Security Authorization provides an interim authority to 
Operate with an expiry date of Oct 18%, 2022, to process information up to and including 
Protected B service delivery information with availability 
commencing immediately following approval of this document with the following 
conditions: 


1. The Security Management Action Plan (SMAP) form is completed and the form is signed 
off within 30 business days of go live. 


2. The commitments made through the SMAP process are met based on timelines specified 
in the SMAP. 


The Authorization Package is the sum ofthe work products supporting the Security 
Authorization. This will normally include all the SLMF work products pertaining to the 
Primary Assets of the IT-Enabled Service. 


The assessment of security controls for each Service Assets is completed as a distinct work 
product, either as part of a Service Release or a Service Baseline Security Assessments. 


The details of the determination of the Security Risks Level are subject to a distinct Security 
Assessment Report. Only a summary is presented here. 


Asset Last Assessment | Baseline Security Risk Evolution 
Date Assessment Level of Security 
Completed Posture 
PHAC Contact Tracking 2020-04-03 N N/A 
Desktop Application 


improved 


ArriveCan Contact 2021-06-30 Y 
Tracking Mobile App 
and Backend 
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racking by Releases 


Each Service Assets impacting the security posture of a Service is normally security-assessed 
as part of a Release. The table below provides information as to which version of the SA is 
associated with a specific Release, where it will support the ORR SMC Review. 


Each Service Assets impacting the security posture of a Service is normally security-assessed 
as part of a Release. The table below provides information as to which version of the SA is 
associated with a specific Release, where it will support the ORR SEMC Review. 


Border Operations Service-BOS 
Security 
Impacts 


Release? Service Asset(s) | Type ofsecurity work Resulting 
version 
2021-10-18 


of SA 


impacted product completed 
product 


Final Security 
Assessment Report 


ArriveCan 
Contact 


ArriveCan 
V2.22 


Tracking 
Mobile App 
and Backend 


(FSAR), Security 
Management Action 
Plan (SMAP 


ArriveCan 
Contact 
Tracking 
Mobile App 
and Backend 


ArriveCan ArriveCan 

v2 Contact 
Tracking 
Mobile App 
and Backend 


ArriveCan ArriveCan 

vi Contact 
Tracking 
Mobile App 
and Backend 


PHAC Interim 
Desktop Security 
Authorization 


ArriveCan 
V2.19 PVC 


FSAR, SMAP 2021-06-30 


FSAR, SMAP 2020-07-13 
FSAR, SMAP 2020-04-16 


Interim Security 2020-04-03 


Authorization (ISA) 


2 important: Unless otherwise specified, Maintenance Releases {MR are not included in the tracking. Maintenance 
Releases have, by definition, low security impact and are reviewed through a separate process. Where a MR is considered 
to have a potential impact on the security posture of a Service, it may be included here, as an exception, and be subject to a 
Security Authorization. 
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SION ASTOR 
This section shows the current revision of this document. 


Security Authorization 
Version Date Final sign-off 
Numbert | Completed completed on 
1.0 2020-04-03 | COVID 19 - Contact tracking desktop 
application Valid 2020-04-03 thru 2020-10-03 
1.1 2020-04-16 | ArriveCan Mobile Application Release 1 2020-06-16 
Valid 2020-04-17 thru 2020-10-17 


Valid 2020-07-14 thru 2021-01-14 

ArriveCan v2.19 - Proof of Vaccine 
Valid 2021-07-05 thru 2022-07-05 
Valid 2021-10-18 thru 2022-10-18 

Lo 


2021-10-27 | R1867 - Mandatory Random Testing (MRT) 


“important: Any change in the list of the Service Assets listed in section 44 is considered a major revision {eg going from 
2.3 to 3.0), while any change in the security rating summary of the same section, without addition or removal of Service 
Assets is considered a minor revision (es. going from 2.3 ta 24) 
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IGNAT 


This SMCM Security Authorization (SA) has been developed and produced in accordance 
with ISTB’s Service Life Cycle Management Framework, Baseline 3. 


Approvals - Security Authorization 


I have completed the review of the key evidence supporting this security authorization, 
including the summary of security risks in Section 2. 


I am granting/re-granting this information system an Interim Authorization to Operate and, in 
so doing, I accept the security risk to the business associated with running that system within 
the current operational context. 

The security authorization of the information system will remain in effectas long as it satisfies 
the requirement for continuous monitoring or that it is revoked by the authorizers. 

Program Owner: Calvin Christiansen, Director General, COVID - 19 Border Task Force 


Conditions: Digital Signature /Date 


CHRISTIANSEN Digitally signed by 


CHRISTIANSEN CALVIN 


CALVIN Date: 2021.11.08 08:29:36 -05'00' 


Service Owner: Carol Sabourin, Executive Director, Project and Service Management 
Oversight 
Conditions: Digital Signature /Date 


Digitally signed by 
SABOU RI N SABOURIN CAROL 


Date: 2021.11.08 09:42:34 
CA RO L -05'00' 


CBSA Chief Technology Officer: Dave Beach, Executive Director, IT Operations 
Conditions: Digital Signature /Date 


Digitally signed by BEACH 
BEACH DAVE SE 
Date: 2021.11.03 19:41:21 
-04'00' 
Cyber Security: Steven Proulx, Director, Cyber Security and IT Continuit 
Conditions: Digital Signature /Date 


i f N . . : : 


Chief Security Officer: Matthew Kletke, Director, Infrastructure and Information Securi 
Conditions: Digital Signature /Date 


Digitally signed by KLETKE 


KLETKE MATTHEW MATTHEW 


Date: 2021.10.28 08:04:26 -04'00' 
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The Security Authorization (SA) document conveys the final security authorization decision 
from the authorizing officials to grant an “Authorization to Operate - ATO” and, in so doing, 


accepts the risk to the business associated with running that system within the current 
operational context. 


The explicit acceptance of risk is the responsibility of the authorizing officials and cannot be 
delegated to other officials within the organization. For all SA, the authorizing officials 
include, as a minimum: 
I. The IT-Enabled Service Business Owner 
I]. The IT-Enabled Service Owner 
III]. The Departmental Security Officer 


The authorizer may issue an ATO, with or without conditions, or issue a denial of 
Authorization to Operate. The decision will be based on several factors, most importantly the 
acceptability of the residual risks and the nature of outstanding security deficiencies. 
Balancing security considerations with mission and operational needs is paramount to 
achieving an acceptable authorization decision. 


Authorization is a state that an information system is in during the operations and 
maintenance phase of its lifecycle. It is not a condition that expires after a period of time and 
that needs to be renewed. The SA is an ongoing process. Once in operation, an information 
system is subjected to continuous security monitoring and assessment by the responsible IT 
security group. 


The terms and conditions forthe authorization provide a description of any specific 
limitations or restrictions placed on the operation of the information system or inherited 
controls that must be followed by the system owner or common control provider. 


the context of 


The SLMF has established the concept of “IT-Enabled Services” as the unit of management of 
service assets such as software applications. The decision to grant a SA is also performed at 
the IT-Enabled Service level. 


The security posture a service is the sum of the security risks of its primary assets. 


Important: The SA does not pertain to a “Solution”, which typically integrates multiple IT- 
Enabled Services. Each Service must have its own SA. The security posture of a “Solution” is 
the sum of the security posture for all the services that are integrated by the solution. 
Acceptance of the security posture ofa “Solution” is a Programs function, which is not in 
scope of the present SA. 


Although a release typically pertains to assets of a single service, a release may also impact 

the security posture of multiple services. In these situations, that release may require more 
than one SA. By the same token, a release may pertain to a single service but affect multiple 
primary assets, in this case it would only require a unique SA. 
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RIZATION PACKAGE 


andatory Random Testing 
This application has a level of assessed risk, for which the target level of acceptable 
residual risk This Security Authorization provides an Authority to Operate (ATO), to 


process information up to and including Unclassified service delivery information with 
availability commencing immediately following approval of this 


document. 


- Summary of Se 


The Authorization Package is the sum of the work products supporting the Security 
Authorization. This will normally include all the SLMF work products pertaining to the 
Primary Assets of the IT-Enabled Service. 


The assessment of security controls for each Service Assets is completed as a distinct work 
product, either as part of a Service Release or a Service Baseline Security Assessments. 


The details of the determination of the Security Risks Level are subject to a distinct Security 
Assessment Report. Only asummary is presented here. 


Asset Last Assessment | Baseline Security Risk Evolution 

Date Assessment Level of Security 

DE pleted Posture 
PHAC Contact Tracking | 2020-04-03 
Desktop Application 


ArriveCan Contact 2021-06-30 Improved 
Tracking Mobile App 
and Backend 
Testing (MRT 


2.3 Authorization Package - Tracking by Releases 


Each Service Assets impacting the security posture of a Service is normally security-assessed 
as part of a Release. The table below provides information as to which version of the SA is 
associated with a specific Release, where it will support the ORR SMC Review. 


Each Service Assets impacting the security posture of a Service is normally security-assessed 


as part of a Release. The table below provides information as to which version of the SA is 
associated with a specific Release, where it will support the ORR SEMC Review. 
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COVID-19 Contract Tracking applications 


Security | Resulting 


Release? Service Asset(s) | Type of security work 
impacted product completed 
product 


R1867 MRT 


ArriveCan 
V2.22 


ArriveCan 
Contact 
Tracking 
Mobile App 
and Backend 
ArriveCan 
Contact 
Tracking 


ArriveCan 
V2.19 PVC 


Mobile App 
and Backend 


ArriveCan ArriveCan 

v2 Contact 
Tracking 
Mobile App 
and Backend 


ArriveCan ArriveCan 

vi Contact 
Tracking 
Mobile App 
and Backend 


PHAC Interim 
Desktop Security 
Authorization 


Final Security 2021-10-18 


Assessment Report 
FSAR), 

FSAR, Security 

Management Action 
Plan (SMAP) 


FSAR, SMAP 2021-06-30 
FSAR, SMAP 2020-07-13 
FSAR, SMAP 2020-04-16 


Interim Security 2020-04-03 
Authorization (ISA) 


2021-10-18 


version 
of SA 


Impacts 


2 important: Unless otherwise specified, Maintenance Releases {MR are not included in the tracking. Maintenance 
Releases have, by definition, low security impact and are reviewed through a separate process. Where a MR is considered 
to have a potential impact on the security posture of a Service, it may be included here, as an exception, and be subject to a 


Security Authorization. 
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CANADA BORDER SERVICES AGENCY 
INFORMATION, SCIENCE AND TECHNOLOGY 
BRANCH 


Service Life Cycle Management 
Framework (SLMF) 
Baseline 3 


Security Management Control 
Method (SMCM) 


Interim Security 
Authorization (ISA) 
for 

COVID-19 CONTACT TRACKING 
VALI 
20: 


VERSION: 1.6 
Date: 2021-11-25 


n Act 
l'inf 


formation 
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SION ASTOR 
This section shows the current revision of this document. 


Security Authorization 
Version Date Final sign-off 
Numbert | Completed completed on 
1.0 2020-04-03 | COVID 19 - Contact tracking desktop 

application Valid 2020-04-03 thru 2020-10-03 
1.1 2020-04-16 | ArriveCan Mobile Application Release 1 

Valid 2020-04-17 thru 2020-10-17 
1.2 2020-07-13 | ArriveCan Release 2 

Valid 2020-07-14 thru 2021-01-14 


ArriveCan v2.19 - Proof of Vaccine 
Valid 2021-07-05 thru 2022-07-05 
ArriveCan v2.22 - BSO 
Valid 2021-10-18 thru 2022-10-18 
En 


1.5 2021-10-27 | R1867 - Mandatory Random Testing (MRT) 2021-11-08 
6 


1. 2021-11-25 | BSO Mobile Lite 
Valid 2021-11-26 thru 2022-11-26 


“important: Any change in the list of the Service Assets listed in section 44 is considered a major revision {eg going from 
2.3 to 3.0), while any change in the security rating summary of the same section, without addition or removal of Service 
Assets is considered a minor revision (es. going from 2.3 ta 24) 
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IGNAT 


This SMCM Security Authorization (SA) has been developed and produced in accordance 
with ISTB’s Service Life Cycle Management Framework, Baseline 3. 


Approvals - Security Authorization 


I have completed the review of the key evidence supporting this security authorization, 
including the summary of security risks in Section 2. 


I am granting/re-granting this information system an Interim Authorization to Operate and, in 
so doing, I accept the security risk to the business associated with running that system within 
the current operational context. 

The security authorization of the information system will remain in effectas long as it satisfies 
the requirement for continuous monitoring or that it is revoked by the authorizers. 


Program Owner: Calvin Christiansen, Director General, COVID-19 Border Task Force 


Conditions: Digital Signature /Date —— : 
Digitally signed by Sharon Spicer 


S h a ro n DN: CN=Sharon Spicer, 
E=sharon.spicer@cbsa-asfc.gc.ca 
Reason: | am approving this document 
Location: your signing location here 


S pice r Date: 2021-12-16 22:01:25 


Foxit PhantomPDF Version: 10.0.1 


Service Owner: Antonio Utano, a/Director General, Border Technologies Innovation 


Conditions: Digital Signature /Date 


TE E D è 1. 1. : . 


CBSA ChiefTechnology Officer: Daniel Tremblay, Director General, IT Solutions and 
Operations 


understand and acknowledge that the Agency has Migi i 74 Digitally signed by TREMBLAY DANIEL 
determined the business benefit represented by this j M | DN: Cva, O=gc, OU=ccra-adrc, 


service significant enough to warrant the issuance of a Oe NUMMER pois er art 


time-limited SA pending the more comprehensive Reason: | am the author of this document 
implementation of mitigations and safeguards, and | Y D AN | E P Location: your signing location here 

Iwill collaborate with other stakeholders within the RS 10.04 
‘Agency's prioritization framework to accomplish that. 

Cyber Security: Gino Lechasseur, Director General, Enterprise Collaboration and Digital 
Services 

Conditions: Digital Signature /Date 


Signature numérique de 
LECHASS E U R LECHASSEUR GINO 

Date : 2021.11.25 16:57:49 
GINO bate: 


Chief Security Officer: Pierre Lessard, CSO and Director General, Security and Professional 
Standards 
Conditions: Digital Signature /Date 


Digitally signed by LESSARD 


LESSARD PIERRE verre 


Date: 2021.11.26 09:18:53 -05'00' 


Page |2 


CBSA - Released under the Access to Information Act. 
ASFC - Divulgation en vertu de la loi sur l'Accès à l'information 


ISTB SLMF Baseline 3 SMCM - Security Authorization PROTECTED A 


tion 1 | 
The Security Authorization (SA) document conveys the final security authorization decision 
from the authorizing officials to grant an “Authorization to Operate - ATO” and, in so doing, 


accepts the risk to the business associated with running that system within the current 
operational context. 


The explicit acceptance of risk is the responsibility of the authorizing officials and cannot be 
delegated to other officials within the organization. For all SA, the authorizing officials 
include, as a minimum: 
I. The IT-Enabled Service Business Owner 
I]. The IT-Enabled Service Owner 
III]. The Departmental Security Officer 


The authorizer may issue an ATO, with or without conditions, or issue a denial of 
Authorization to Operate. The decision will be based on several factors, most importantly the 
acceptability of the residual risks and the nature of outstanding security deficiencies. 
Balancing security considerations with mission and operational needs is paramount to 
achieving an acceptable authorization decision. 


Authorization is a state that an information system is in during the operations and 
maintenance phase of its lifecycle. It is not a condition that expires after a period of time and 
that needs to be renewed. The SA is an ongoing process. Once in operation, an information 
system is subjected to continuous security monitoring and assessment bythe responsible IT 
security group. 


The terms and conditions forthe authorization provide a description of any specific 
limitations or restrictions placed on the operation of the information system or inherited 
controls that must be followed by the system owner or common control provider. 


The SLMF has established the concept of “IT-Enabled Services” as the unit of management of 
service assets such as software applications. The decision to grant a SA is also performed at 
the IT-Enabled Service level. 


The security posture a service is the sum of the security risks of its primary assets. 


Important: The SA does not pertain to a “Solution”, which typically integrates multiple IT- 
Enabled Services. Each Service must have its own SA. The security posture of a “Solution” is 
the sum of the security posture for all the services that are integrated by the solution. 
Acceptance of the security posture ofa “Solution” is a Programs function, which is not in 
scope of the present SA. 


Although a release typically pertains to assets ofa single service, a release may also impact 
the security posture of multiple services. In these situations, that release may require more 
than one SA. By the same token, a release may pertain to a single service but affect multiple 
primary assets, in this case it would only require a unique SA. 
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This application has a level of assessed risk, for which the target level of acceptable 
residual risk 


This Interim Security Authorization provides an interim authority to Operate with an expiry 
date of November 26, 2022, to process information up to and including Unclassified service 
delivery information with availability commencing 
immediately following approval of this document. 


1. The actions identified in the Security Management Action Plan (SMAP) document are 
addressed following the timelines identified within the SMAP, and evidence of their 
implementation is provided to Cyber Security’s Risk Assessment and Consultation 
team for re-assessment. 


rization Package - $ 


The Authorization Package is the sum of the work products supporting the Security 
Authorization. This will normally include all the SLMF work products pertaining to the 
Primary Assets of the IT-Enabled Service. 


The assessment of security controls for each Service Assets is completed as a distinct work 
product, either as part of a Service Release or a Service Baseline Security Assessments. 


The details of the determination of the Security Risks Level are subject to a distinct Security 
Assessment Report. Only asummary is presented here. 


Baseline Security Risk Evolution 
Assessment Level of Security 
Completed Posture 


PHAC Contact Tracking N/A 
Desktop Application 


ArriveCan Contact Improved 
Tracking Mobile App 
and Backend 


Mandatory Random N/A 


Testing (MRT 


.2 Authorization Package - Tracking by Releases 


Each Service Assets impacting the security posture of a Service is normally security-assessed 
as part of a Release. The table below provides information as to which version of the SA is 
associated with a specific Release, where it will support the ORR SMC Review. 
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Each Service Assets impacting the security posture of a Service is normally security-assessed 
as part of a Release. The table below provides information as to which version of the SA is 
associated with a specific Release, where it will support the ORR SEMC Review. 

COVID-19 Contract Tracking applications 


Release? Service Asset(s) | Type ofsecurity work Security | Resulting 
impacted product completed Impacts | version 
product of SA 


BSO Mobile | BSO Mobile Final Security 2021-11-25 ; 
App Lite Assessment Report 
(FSAR) Security 
Management Action 
Plan (SMAP 
ArriveCan ArriveCan FSAR, SMAP 2021-10-18 f 
V2.22 Contact 
Tracking 
Mobile App 
and Backend 


ArriveCan ArriveCan FSAR, SMAP 2021-06-30 
V2.19 PVC Contact 

Tracking 

Mobile App 

and Backend 
ArriveCan ArriveCan FSAR, SMAP 2020-07-13 
v2 Contact 

Tracking 

Mobile App 

and Backend 
ArriveCan ArriveCan FSAR, SMAP 2020-04-16 
vi Contact 

Tracking 

Mobile App 

and Backend 


PHAC Interim Interim Security 2020-04-03 
Desktop Security Authorization (ISA) 
Authorization 


2 important: Unless otherwise specified, Maintenance Releases {MR are not included in the tracking. Maintenance 
Releases have, by definition, low security impact and are reviewed through a separate process. Where a MR is considered 
to have a potential impact on the security posture of a Service, it may be included here, as an exception, and be subject to a 
Security Authorization. 
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ION HISTOR 


This section shows the current revision of this document. 


Security Authorization 

Version Date Final sign-off 

Number! | Completed aa on 

1.0 2020-04-03 | COVID 19 - Contact tracking desktop 
application Valid 2020-04-03 thru 2020-10- al. 

1.1 2020-04-16 | ArriveCan Mobile Application Release 1 2020-06-16 

Valid 2020-04-17 thru 2020-10-17 

1.2 2020-07-13 | ArriveCan Release 2 2020-07-14 
Valid 2020-07-14 thru 2021-01-14 


Nici rata ArriveCan v2.19 - Proof of Vaccine 
Valid 2021-07-05 thru 2022-07-05 
Valid 2021-10-18 thru 2022-10-18 


1.6 2021-11-25 | BSO Mobile Lite 
Po olen Valid 2021-11-26 thru 2022-11-26 
ll ina = | 
Valid 2021-11-29 thru 2022-05-29 


“important: Any ch: ange in the list of the Service Assets listed in section 4.1 is considered a rn: ajor revision {eg going from 
2.3 to 3.0), while any change in the security rating summary of the same section, without addition or removal of Service 
Assets is considered a minor revision {es going from 2.3 to 2.4) 
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IGNAT 


This SMCM Security Authorization (SA) has been developed and produced in accordance 
with ISTB’s Service Life Cycle Management Framework, Baseline 3. 


Approvals - Security Authorization 


I have completed the review of the key evidence supporting this security authorization, 
including the summary of security risks in Section 2. 


Iam granting/re-granting this information system an Interim Authorization to Operate and, in 
so doing, I accept the security risk to the business associated with running that system within 
the current operational context. 

The security authorization of the information system will remain in effectas long as it satisfies 
the requirement for continuous monitoring or that it is revoked by the authorizers. 


Service Owner: Antonio Utano, a/Director General, Border Technologies Innovation 


Conditions: Digital Signature /Date 


UTAN O Digitally signed by UTANO 


ANTONIO 


ANTONIO Date: 2021.11.29 12:12:09 -05'00' 


CBSA Chief Technology Officer: Daniel Tremblay, Director General, IT Solutions and 
Operations 


| understand and acknowledge that the Agency has | Digital Signature /Date 
pare signed by TREMBLAY DANIEL 


determined the business benefit represented by this Roe A mt de 

service significant enough to warrant the issuance of l R E M B L AY NE CN=TREMBLAY DANIEL + 

a time-limited SA pending the more comprehensive SERIALNUMBER=2015145231123057 
Reason: | am the author of this document 


implementation of mitigations and safeguards, and | D A N | E L cation: your signing location here 
ill collaborate with other stakeholders within the Date: 2021-12-03 10:31:24 
| Foxit PhantomPDF Version: 10.0.1 


Cyber Security: Gino Lechasseur, ‘Director General, Enterprise Collaboration and Digital 
Services 
Conditions: Digital Signature /Date 


Signature numérique de 
LECHASSEUR  ceciasseur GINO 

Date.: 11, 36: 
GINO ne TR 13 


ChiefSecurity Officer: Pierre Lessard, Chief Security Officer and Director General, Security 
and Professional Standards 
Conditions: Digital Signature /Date 


Digitally signed by LESSARD 


LESSARD PIERRE Pree 


Date: 2021.11.30 11:42:49 -05'00' 
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tion 1 | 
The Security Authorization (SA) document conveys the final security authorization decision 
from the authorizing officials to grant an “Authorization to Operate - ATO” and, in so doing, 


accepts the risk to the business associated with running that system within the current 
operational context. 


The explicit acceptance of risk is the responsibility of the authorizing officials and cannot be 
delegated to other officials within the organization. For all SA, the authorizing officials 
include, as a minimum: 
I. The IT-Enabled Service Business Owner 
I]. The IT-Enabled Service Owner 
III]. The Departmental Security Officer 


The authorizer may issue an ATO, with or without conditions, or issue a denial of 
Authorization to Operate. The decision will be based on several factors, most importantly the 
acceptability of the residual risks and the nature of outstanding security deficiencies. 
Balancing security considerations with mission and operational needs is paramount to 
achieving an acceptable authorization decision. 


Authorization is a state that an information system is in during the operations and 
maintenance phase of its lifecycle. It is not a condition that expires after a period of time and 
that needs to be renewed. The SA is an ongoing process. Once in operation, an information 
system is subjected to continuous security monitoring and assessment bythe responsible IT 
security group. 


The terms and conditions forthe authorization provide a description of any specific 
limitations or restrictions placed on the operation of the information system or inherited 
controls that must be followed by the system owner or common control provider. 


The SLMF has established the concept of “IT-Enabled Services” as the unit of management of 
service assets such as software applications. The decision to grant a SA is also performed at 
the IT-Enabled Service level. 


The security posture a service is the sum of the security risks of its primary assets. 


Important: The SA does not pertain to a “Solution”, which typically integrates multiple IT- 
Enabled Services. Each Service must have its own SA. The security posture of a “Solution” is 
the sum of the security posture for all the services that are integrated by the solution. 
Acceptance of the security posture ofa “Solution” is a Programs function, which is not in 
scope of the present SA. 


Although a release typically pertains to assets ofa single service, a release may also impact 
the security posture of multiple services. In these situations, that release may require more 
than one SA. By the same token, a release may pertain to a single service but affect multiple 
primary assets, in this case it would only require a unique SA. 
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ti 


| 
2.1 ArriveCan V2.3 - SAVE 


This application has a level of assessed risk, for which the target level of acceptable 
residual risk i 


THORIZATI C 


This Interim Security Authorization provides an interim authority to Operate with an expiry 
date of May 29, 2022, to process information up to and including Protected B service 
delivery information with availability (PBMM) commencing 
immediately following approval of this document. 


1. The actions identified in the Security Management Action Plan (SMAP) document are 
addressed following the timelines identified within the SMAP, and evidence of their 
implementation is provided to Cyber Security’s Risk Assessment and Consultation 
team for re-assessment. 


rization Package - $ 


The Authorization Package is the sum ofthe work products supporting the Security 
Authorization. This will normally include all the SLMF work products pertaining to the 
Primary Assets of the IT-Enabled Service. 


The assessment of security controls for each Service Assets is completed as a distinct work 
product, either as part of a Service Release or a Service Baseline Security Assessments. 


The details of the determination of the Security Risks Level are subject to a distinct Security 
Assessment Report. Only a summary is presented here. 


Baseline Evolution 
Assessment of Security 
Completed Posture 

PHAC Contact Tracking 

Desktop Application 

ArriveCan Contact 


Tracking Mobile App 
and Backend 


Mandatory Random 
Testing (MRT 


.2 Authorization Package - Tracking by Releases 


Each Service Assets impacting the security posture of a Service is normally security-assessed 
as part of a Release. The table below provides information as to which version of the SA is 
associated with a specific Release, where it will support the ORR SMC Review. 
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Each Service Assets impacting the security posture of a Service is normally security-assessed 
as part of a Release. The table below provides information as to which version of the SA is 
associated with a specific Release, where it will support the ORR SEMC Review. 

COVID-19 Contract Tracking applications 


Release? Service Asset(s) | Type ofsecurity work Security | Resulting 
impacted product completed Impacts | version 
product of SA 


ArriveCan ArriveCan Final Security 2021-11-29 ; 
V2.22 Contact Assessment Report 

Tracking (FSAR) Security 

Mobile App Management Action 

and Backend Plan (SMAP 
App Lite 
ArriveCan ArriveCan FSAR, SMAP 2021-10-18 i 
V2.22 Contact 

Tracking 

Mobile App 

and Backend 


ArriveCan ArriveCan FSAR, SMAP 2021-06-30 
V2.19 PVC Contact 

Tracking 

Mobile App 

and Backend 
ArriveCan ArriveCan FSAR, SMAP 2020-07-13 
v2 Contact 

Tracking 

Mobile App 

and Backend 
ArriveCan ArriveCan FSAR, SMAP 2020-04-16 
vi Contact 

Tracking 

Mobile App 

and Backend 


PHAC Interim Interim Security 2020-04-03 
Desktop Security Authorization (ISA) 
Authorization 


2 important: Unless otherwise specified, Maintenance Releases {MR are not included in the tracking. Maintenance 
Releases have, by definition, low security impact and are reviewed through a separate process. Where a MR is considered 
to have a potential impact on the security posture of a Service, it may be included here, as an exception, and be subject to a 
Security Authorization. 
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ION HISTOR 


This section shows the current revision of this document. 


Security Authorization 
Version Date Final sign-off 
Number! | Completed completed on 
2020-04-03 | COVID 19 - Contact tracing desktop 
application V1 


2020-04-16 | ArriveCan Mobile Application Release 1 2020-06-16 


2020-07-13 | ArriveCan Release 2 2020-07-14 
Valid 2020-07-14 thru 2021-01-14 


1.0 - 
1.1 - - 
1.2 - - 
1.3 2021-06-30 | ArriveCan v2.19 - Proof of Vaccine 2021-07-04 
1.4 - i .22- - 
1.5 - j - 

6 - 


2021-10-18 | ArriveCan v2.22 - BSO 2021-11-03 
2021-10-27 | R1867 - Mandatory Random Testing (MRT) 2021-11-08 


Valid 2021-11-26 thru 2022-11-26 

ArriveCan v2.23 - SAVE 
Valid 2021-11-29 thru 2022-05-29 

ArriveCan v2.23 - Security Uplift ri 
Valid 2021-12-14 thru 2022-12-14 


“important: Any change in the list of the Service Assets listed in section 4.4 is considered a major revision {eg going from 
2.3 to 3.0), while any change in the security rating summary of the same section, without addition or removal of Service 
Assets is considered a minor revision (es. going from 2.3 ta 24) 
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IGNAT 


This SMCM Security Authorization (SA) has been developed and produced in accordance 
with ISTB’s Service Life Cycle Management Framework, Baseline 3. 


Approvals - Security Authorization 


I have completed the review of the key evidence supporting this security authorization, 
including the summary of security risks in Section 2. 


Iam granting/re-granting this information system an Interim Authorization to Operate and, in 
so doing, I accept the security risk to the business associated with running that system within 
the current operational context. 

The security authorization of the information system will remain in effectas long as it satisfies 
the requirement for continuous monitoring or that it is revoked by the authorizers. 


Service Owner: Antonio Utano, a/Director General, Border Technologies Innovation 


Conditions: Digital Signature /Date 
UTAN O Digitally signed by UTANO 
ANTONIO 


Date: 2021.12.15 14:33:45 
ANTONIO 0500 


CBSA Chief Technology Officer: Daniel Tremblay, Director General, IT Solutions and 
Operations 
Conditions: Digital Signature /Date 
Digitally signed by TREMBLAY DANIEL 
TREMBLA EEE 
QU= PERSONNEL, CN=TREMBLAY DANIEL + 
SERIALNUMBER=20151 45231123057 
Reason: | am the author of this document 


Location: your signing location here 
Date: 2021-12-13 06:22:16 


Foxit PhantomPDF Version: 10.0.1 


Cyber Security: Gino Lechasseur, Director General, Enterprise Collaboration and Digital 
Services 


Conditions: Digital Signature /Date 
Signature numérique de 
LECHASSEUR | (eciasseurcino 
Date.: 12. :29: 
GINO re naa 


ChiefSecurity Officer: Pierre Lessard, Chief Security Officer and Director General, Security 
and Professional Standards 
Conditions: Digital Signature /Date 


Digitally signed by LESSARD PIERRE 
LESSAR D PI E R R E Date: 2021 12. 0 16:25:07 -05'00' 
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The Security Authorization (SA) document conveys the final security authorization decision 
from the authorizing officials to grant an “Authorization to Operate - ATO” and, in so doing, 


accepts the risk to the business associated with running that system within the current 
operational context. 


The explicit acceptance of risk is the responsibility of the authorizing officials and cannot be 
delegated to other officials within the organization. For all SA, the authorizing officials 
include, as a minimum: 
I. The IT-Enabled Service Business Owner 
I]. The IT-Enabled Service Owner 
III]. The Departmental Security Officer 


The authorizer may issue an ATO, with or without conditions, or issue a denial of 
Authorization to Operate. The decision will be based on several factors, most importantly the 
acceptability of the residual risks and the nature of outstanding security deficiencies. 
Balancing security considerations with mission and operational needs is paramount to 
achieving an acceptable authorization decision. 


Authorization is a state that an information system is in during the operations and 
maintenance phase of its lifecycle. It is not a condition that expires after a period of time and 
that needs to be renewed. The SA is an ongoing process. Once in operation, an information 
system is subjected to continuous security monitoring and assessment bythe responsible IT 
security group. 


The terms and conditions forthe authorization provide a description of any specific 
limitations or restrictions placed on the operation of the information system or inherited 
controls that must be followed by the system owner or common control provider. 


the context of 


The SLMF has established the concept of “IT-Enabled Services” as the unit of management of 
service assets such as software applications. The decision to grant a SA is also performed at 
the IT-Enabled Service level. 


The security posture a service is the sum of the security risks of its primary assets. 


Important: The SA does not pertain to a “Solution”, which typically integrates multiple IT- 
Enabled Services. Each Service must have its own SA. The security posture of a “Solution” is 
the sum of the security posture for all the services that are integrated by the solution. 
Acceptance of the security posture ofa “Solution” is a Programs function, which is not in 
scope of the present SA. 


Although a release typically pertains to assets ofa single service, a release may also impact 

the security posture of multiple services. In these situations, that release may require more 
than one SA. By the same token, a release may pertain to a single service but affect multiple 
primary assets, in this case it would only require a unique SA. 
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ti 


| 
2.1 ArriveCan V2.4 


This application has a level of assessed risk, for which the target level of acceptable 
residual risk 


THORI 


This Interim Security Authorization provides an interim authority to Operate with an expiry 
date of May 29, 2022, to process information up to and including Protected B service 
delivery information with availability (PBMM) commencing 
immediately following approval of this document. 


1. The actions identified in the Security Management Action Plan (SMAP) document are 
addressed following the timelines identified within the SMAP, and evidence of their 
implementation is provided to Cyber Security’s Risk Assessment and Consultation 
team for re-assessment. 


$ ma 


v2.19, 2.22 


The COVID 19 - Contact tracing desktop application V1 and ArriveCan Versions 1.0, 2.19 
and 2.22 have been granted full Security Authorizations as the vulnerabilities detected in 
those release have now been mitigated and the mitigations have been reviewed and 
assessed. These releases now have a of assessed risk, where the target level of 
acceptable residual risk 


o 


ct tracing desktop appli 


This Security Authorization provides an authority to Operate to process information up to 
and including Protected B service delivery information with Medium Integrity and Medium 
availability (PBMM) commencing immediately following approval of this document. 


Section 3 | AUTHORIZATION PACKAGE - TRACKING BY RELEASE 


3.1 Authorization Package - Summary of Security Risks 


The Authorization Package is the sum of the work products supporting the Security 
Authorization. This will normally include all the SLMF work products pertaining to the 
Primary Assets of the IT-Enabled Service. 


The assessment of security controls for each Service Assets is completed as a distinct work 
product, either as part of a Service Release or a Service Baseline Security Assessments. 


The details of the determination of the Security Risks Level are subject to a distinct Security 
Assessment Report. Only asummary is presented here. 


Asset Last Assessment | Baseline Security Risk Evolution 
Date Assessment Level of Security 
Completed Posture 


PHAC Contact Tracing 2020-04-03 N N/A 
Desktop Application 
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ArriveCan Contact 2021-12-10 
Tracing Mobile App and 
Backend 


Mandatory Random 2021-10-18 E 


Testing (MRT 


BSO Mobile App 2021-11-25 
e ~ Tracking by Rele 


Each Service Assets impacting the security posture of a Service is normally security-assessed 
as part of a Release. The table below provides information as to which version of the SA is 
associated with a specific Release, where it will support the ORR SMC Review. 


Each Service Assets impacting the security posture of a Service is normally security-assessed 
as part of a Release. The table below provides information as to which version of the SA is 


associated with a specific Release, where it will support the ORR SEMC Review. 
| Service Name: | COVID-19 Contract Tracing applications 


Release? Service Asset(s) | Type of security work Security | Resulting 
impacted product completed Impacts | version 
product of SA 
1.8 


ArriveCan ArriveCan Final Security 2021-12-10 ; 
V2.24 Contact Assessment Report 
Tracing (FSAR) Security 
Mobile App Management Action 
and Backend 
ArriveCan ArriveCan FSAR, SMAP 2021-11-29 1.7 
V2.23 Contact 
Tracing 
Mobile App 
and Backend 
App Lite 


R1867 MRT FSAR 2021-10-18 


ArriveCan ArriveCan FSAR, SMAP 2021-10-18 
V2.22 Contact 

Tracing 

Mobile App 

and Backend 


ArriveCan ArriveCan FSAR, SMAP 2021-06-30 
V2.19 PVC Contact 
Tracing 


2 important: Unless otherwise specified, Maintenance Releases {MR are not included in the tracking. Maintenance 
Releases have, by definition, low security impact and are reviewed through a separate process. Where a MR is considered 
to have a potential impact on the security posture of a Service, it may be included here, as an exception, and be subject to a 
Security Authorization. 
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| Service Name: | COVID-19 Contract Tracing applications 


Release? Service Asset(s) | Type of security work Security | Resulting 
impacted product completed Impacts | version 
Rs of SA 
E Lattes 
and Backend 


ArriveCan ArriveCan a! SMAP 2020-07- os 
v2 Contact 

Tracing 

Mobile App 

and Backend 


PHAC Interim Interim Security 2020-04-03 
Desktop Security Authorization (ISA) 
Authorization 


ArriveCan ArriveCan FSAR, SMAP 2020-04-16 1.1 
vi Contact 

Tracing 

Mobile App 

and Backend 
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Framework (SLMF) 
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IGN FISTOR 
This section shows the current revision of this document. 


Security Authorization 

ps | ce 0 mit 
Numbert | Completed completed on 

À 

application V1 

ArriveCan Mobile Application Release 1 
1.2 2020-07-13 | ArriveCan Release 2 2020-07-14 
| Valid 2020-07-14 thru 2021-01-14 pore | 


1.6 2021-11-25 | BSO Mobile Lite 
Ee ee Valid 2021-11-26 thru 2022-11-26 
1.7 2021-11-29 | ArriveCan v2.23 - SAVE 2021-12-03 
ArriveCan v2.24 - Security Uplift 
Valid 2021-12-14 thru 2022-12-14 


2022-03-14 | ArriveCan Backend - V3 
Valid 2022-03-21 thru 2023-03-21 


“important: Any change in the list of the Service Assets listed in section 4.4 is considered a major revision {eg going from 
2.3 to 3.0), while any change in the security rating summary of the same section, without addition or removal of Service 
Assets is considered a minor revision (es. going from 2.3 ta 24) 
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IGNAT 


This SMCM Security Authorization (SA) has been developed and produced in accordance 
with ISTB’s Service Life Cycle Management Framework, Baseline 3. 


Approvals - Security Authorization 


I have completed the review of the key evidence supporting this security authorization, including 
the summary of security risks in Section 2. 


Iam granting/re-granting this information system an Interim Authorization to Operate and, in so 
doing, I accept the security risk to the business associated with running that system within the 
current operational context. 

The security authorization of the information system will remain in effectas long as it satisfies the 
requirement for continuous monitoring or that it is revoked by the authorizers. 

Program Owner: John Ommanney, Director General, Travellers Policy and Programs 


Conditions: Digital Signature /Date 
Digitally signed by HERAGE 


HERAGE ALYSSA ayssa 


Date: 2022.03.18 16:21:56 -04'00' 


Service Owner: Kelly Belanger, Director General, Projects and Service Management 


Conditions: Digital Signature /Date 
Digitally signed by BELANGER 


BELANGER KELLY «iv 


Date: 2022.03.17 07:28:35 -04'00' 


Cloud Competency Center: Antonio Utano, a/Director General, Border Technologies Innovation 
Conditions: Digital Signature /Date 


Digitally signed by TSANG 


TSANG HIENKIEN HiEnken 


Date: 2022.03.16 13:38:46 -04'00' 


CBSA Chief Technology Officer: Daniel Tremblay, Director General, IT Solutions and Operations 


Conditions: Digital Signature /Date __ 
per signed by TREMBLAY DANIEL 


: C=ca, O=gc, OU=ccra-adre, OU=PERSONNEL, 
CN=TREMBLAY DANIEL + 
Si 


ÉRIALNUMBER=2015145231 123057 
Reason: | am the author of this document 


ocation: your signing location here 
Date: 2022-03-19 21:55:53 


: Gino Lechasseur, Director General, Enterprise Collaboration and Digital Services 
Conditions: Digital Signature /Date 


ignature numérique de 


LECHASSEUR GINO LECHASSEUR GINO 


Date : 2022.03.15 18:13:55 -04'00' 


Chief Security Officer: Pierre Lessard, Chief Security Officer and Director General, Security and 
Professional Standards 
Conditions: Digital Signature /Date 
Digitally signed by FORTIER STEVE 
Approving as A/DG & CSO FO RT | E R ONSFORTIER STEVE + SERJALNUMBER=2008026032852512 


eason: | am approving this document 
io 


Ri 

Location: Ottawa, Ontari 

Date: 2022-03-18 14:48:53 

Foxit PhantomPDF Version: 10.0.1 
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tion 1 | 
The Security Authorization (SA) document conveysthe final security authorization decision 
from the authorizing officials to grant an “Authorization to Operate - ATO” and, in so doing, 


accepts the risk to the business associated with running that system within the current 
operational context. 


The explicit acceptance of risk is the responsibility of the authorizing officials and cannot be 
delegated to other officials within the organization. For all SA, the authorizing officials 
include, as a minimum: 
I. The IT-Enabled Service Business Owner 
I]. The IT-Enabled Service Owner 
III]. The Departmental Security Officer 


The authorizer may issue an ATO, with or without conditions, or issue a denial of 
Authorization to Operate. The decision will be based on several factors, most importantly the 
acceptability of the residual risks and the nature of outstanding security deficiencies. 
Balancing security considerations with mission and operational needs is paramount to 
achieving an acceptable authorization decision. 


Authorization is a state that an information system is in during the operations and 
maintenance phase of its lifecycle. It is not a condition that expires after a period of time and 
that needs to be renewed. The SA is an ongoing process. Once in operation, an information 
system is subjected to continuous security monitoring and assessment by the responsible IT 
security group. 


The terms and conditions forthe authorization provide a description of any specific 
limitations or restrictions placed on the operation of the information system or inherited 
controls that must be followed by the system owner or common control provider. 


The SLMF has established the concept of “IT-Enabled Services” as the unit of management of 
service assets such as software applications. The decision to grant a SA is also performed at 
the IT-Enabled Service level. 


The security posture a service is the sum of the security risks of its primary assets. 


Important: The SA does not pertain to a “Solution”, which typically integrates multiple IT- 
Enabled Services. Each Service must have its own SA. The security posture of a “Solution” is 
the sum of the security posture for all the services that are integrated by the solution. 
Acceptance of the security posture ofa “Solution” is a Programs function, which is not in 
scope of the present SA. 


Although a release typically pertains to assets ofa single service, a release may also impact 
the security posture of multiple services. In these situations, that release may require more 
than one SA. By the same token, a release may pertain to a single service but affect multiple 
primary assets, in this case it would only require a unique SA. 
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2.1 ÂrriveCan 


This application has a level of assessed risk, for which the target level of acceptable 
residual risk 


This Interim Security Authorization provides an interim authority to Operate with an expiry 
date of March 21, 2023, to process information up to and including Protected B service 
delivery information with availability (PBMM) commencing 
immediately following approval of this document. 


1. The actions identified in the Security Management Action Plan (SMAP) document are 
addressed following the timelines identified within the SMAP, and evidence of their 
implementation is provided to Cyber Security’s Risk Assessment and Consultation 
team for re-assessment. 


rization Package - $ 


The Authorization Package is the sum of the work products supporting the Security 
Authorization. This will normally include all the SLMF work products pertaining to the 
Primary Assets of the IT-Enabled Service. 


The assessment of security controls for each Service Assets is completed as a distinct work 
product, either as part of a Service Release or a Service Baseline Security Assessments. 


The details of the determination of the Security Risks Level are subject to a distinct Security 
Assessment Report. Only asummary is presented here. 


Baseline Security Risk Evolution 
Assessment Level of Security 
Completed Posture 


PHAC Contact Tracing N/A 
Desktop Application 


ArriveCan Contact 


Tracing Mobile App and 
Backend 


Mandatory Random 
Testing (MRT 


BSO Mobile App 2021-11-25 
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ces 


Tracking by Re 


Each Service Assets impacting the security posture of a Service is normally security-assessed 
as part of a Release. The table below provides information as to which version of the SA is 
associated with a specific Release, where it will support the ORR SMC Review. 


Each Service Assets impacting the security posture of a Service is normally security-assessed 
as part of a Release. The table below provides information as to which version of the SA is 
associated with a specific Release, where it will support the ORR SEMC Review. 

| Service Name: | COVID-19 Contract Tracing applications 


Release? Service Asset(s) | Type ofsecurity work Security Resulting 
impacted product completed pes Via version 
product of SA 


ArriveCan ArriveCan Final Security 2022-03- oa 
V3 Backend | Backend Assessment Report 
(FSAR) Security 
tales ae Action 
ArriveCan ArriveCan man T 2021-12-10 
V2.24 Contact 
Tracing 
Mobile App 
and Backend 
ArriveCan ArriveCan FSAR, SMAP 2021-11-29 
V2.23 Contact 
Tracing 
Mobile App 
and Backend 


BSO Mobile | BSO Pee | FSAR, SMAP 2021-11-25 
App Lite 


R1867 MRT none FSAR 2021-10-18 


ArriveCan ArriveCan FSAR, SMAP 2021-10-18 
V2.22 Contact 

Tracing 

Mobile App 

and Backend 
ArriveCan ArriveCan FSAR, SMAP 2021-06-30 
V2.19 PVC Contact 

Tracing 

Mobile App 

and Backend 


3 important: Unless otherwise specified, Maintenance Releases {MR are not included in the tracking. Maintenance 
Releases have, by definition, low security impact and are reviewed through a separate process. Where a ME is considered 
to have a potential impact on the security posture of a Service, it may be included here, as an exception, and be subject to a 
Security Authorization. 
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COVID-19 Contract Tracing applications 


Release? Service Asset(s) | Type ofsecurity work Security | Resulting 
impacted product completed Impacts | version 
product of SA 


ArriveCan ArriveCan FSAR, SMAP 2020-07-13 
v2 Contact 

Tracing 

Mobile App 

and Backend 


ArriveCan ArriveCan FSAR, SMAP 2020-04-16 
vi Contact 

Tracing 

Mobile App 

and Backend 


PHAC Interim Interim Security 2020-04-03 
Desktop Security Authorization (ISA) 
Authorization 


1.2 
1.1 
1.0 
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CANADA BORDER SERVICES AGENCY 
INFORMATION, SCIENCE AND TECHNOLOGY 
BRANCH 


Service Life Cycle Management 
Framework (SLMF) 
Baseline 3 


Security Management Control 
Method (SMCM) 


Interim Security 
Authorization (ISA) 
for 

COVID-19 CONTACT TRACING 
VALI 
20: 


VERSION: 1.10 
DATE: 2022-06-28 


n Act 
l'inf 


formation 
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ION HISTOR 


This section shows the current revision of this document. 


Security Authorization 
Version Date Final sign-off 
Number! | Completed completed on 
1.0 2020-04-03 | COVID 19 - Contact tracing desktop 
application V1 
2020-04-16 | ArriveCan Mobile Application Release 1 2020-06-16 
1.2 2020-07-13 | ArriveCan Release 2 2020-07-14 
Valid 2020-07-14thru 2021-01-14 
2021-06-30 | ArriveCan v2.19 - Proof of Vaccine 2021-07-04 


2021-10-18 | ArriveCan v2.22 - BSO 2021-11-03 
2021-10-27 | R1867 - Mandatory Random Testing (MRT) | 2021-11-08 


Valid 2021-11-26 thru 2022-11-26 

ArriveCan v2.23 - SAVE 
Valid 2021-11-29 thru 2022-05-29 

ArriveCan v2.24 - Security Uplift 
Valid 2021-12-14 thru 2022-12-14 

ArriveCan Backend - V3 
Valid 2022-03-21 thru 2023-03-21 
Valid 2022-06-28 thru 2023-06-28 


“important: Any change in the list of the Service Assets listed in section 4.4 is considered a major revision {eg going from 
2.3 to 3.0), while any change in the security rating summary of the same section, without addition or removal of Service 
Assets is considered a minor revision (es. going from 2.3 ta 24) 
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IGNATURE PA 


This SMCM Security Authorization (SA) has been developed and produced in accordance 
with ISTB’s Service Life Cycle Management Framework, Baseline 3. 


Approvals - Security Authorization 


Ihave completed the review of the key evidence supporting this security authorization, including 
the summary of security risks in Section 2. 


Iam granting/re-granting this information system an Interim Authorization to Operate and, in so 
doing, I accept the security risk to the business associated with running that system within the 
current operational context. 

The security authorization of the information system will remain in effectas long as it satisfies the 
requirement for continuous monitoring or that it is revoked by the authorizers. 


Program Owner: John Ommanney, Director General, Travellers Policy and Programs 


Conditions: Digital Signature /Date 
Digitally signed by HERAGE 


HERAGE ALYSSA ayssa 


Date: 2022.06.28 13:12:52 -04'00' 


Service Owner: Kelly Belanger, Director General, Projects and Service Management 


Conditions: Digital Signature /Date 
Digitally signed by BELANGER 


BELANGER KELLY «ety 


Date: 2022.06.27 12:42:34 -04'00' 


Cloud Competency Center: Antonio Utano, a/Director General, Border Technologies Innovation 


Conditions: Digital Signature /Date 
Digitally signed by UTANO 


UTANO ANTONIO antonio 


Date: 2022.06.27 08:48:45 -04'00' 


CBSA Chief Technology Officer: Dave Beach, a/Director General, IT Solutions and Operations 


Conditions: Digital Signature /Date 
Digitally signed by BEACH DAVE 


B EAC H DAV Date: 2022.07.01 16:22:36 


-04'00 


: Gino Lechasseur, Director General, Enterprise Collaboration and Digital Services 


Conditions: Digital Signature /Date 
Signature numérique de 


LECHASSEUR GINO LecHasseur GINO 


Date : 2022.06.24 16:17:11 -04'00" 


Chief Security Officer: Pierre Lessard, Chief Security Officer and Director General, Security and 
Professional Standards 
Conditions: Digital Signature /Date 


LESSARD PIERRE Sutytreshsst ret 
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tion 1 | 
The Security Authorization (SA) document conveysthe final security authorization decision 
from the authorizing officials to grant an “Authorization to Operate - ATO” and, in so doing, 


accepts the risk to the business associated with running that system within the current 
operational context. 


The explicit acceptance of risk is the responsibility of the authorizing officials and cannot be 
delegated to other officials within the organization. For all SA, the authorizing officials 
include, as a minimum: 
I. The IT-Enabled Service Business Owner 
I]. The IT-Enabled Service Owner 
III]. The Departmental Security Officer 


The authorizer may issue an ATO, with or without conditions, or issue a denial of 
Authorization to Operate. The decision will be based on several factors, most importantly the 
acceptability of the residual risks and the nature of outstanding security deficiencies. 
Balancing security considerations with mission and operational needs is paramount to 
achieving an acceptable authorization decision. 


Authorization is a state that an information system is in during the operations and 
maintenance phase of its lifecycle. It is not a condition that expires after a period of time and 
that needs to be renewed. The SA is an ongoing process. Once in operation, an information 
system is subjected to continuous security monitoring and assessment by the responsible IT 
security group. 


The terms and conditions forthe authorization provide a description of any specific 
limitations or restrictions placed on the operation of the information system or inherited 
controls that must be followed by the system owner or common control provider. 


The SLMF has established the concept of “IT-Enabled Services” as the unit of management of 
service assets such as software applications. The decision to grant a SA is also performed at 
the IT-Enabled Service level. 


The security posture a service is the sum of the security risks of its primary assets. 


Important: The SA does not pertain to a “Solution”, which typically integrates multiple IT- 
Enabled Services. Each Service must have its own SA. The security posture of a “Solution” is 
the sum of the security posture for all the services that are integrated by the solution. 
Acceptance of the security posture ofa “Solution” is a Programs function, which is not in 
scope of the present SA. 


Although a release typically pertains to assets ofa single service, a release may also impact 
the security posture of multiple services. In these situations, that release may require more 
than one SA. By the same token, a release may pertain to a single service but affect multiple 
primary assets, in this case it would only require a unique SA. 
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ti 


THORIZATI 


| 
2.1 ArriveCan V3 


This application has a level of assessed risk, for which the target level of acceptable 
residual risk 


This Interim Security Authorization provides an interim authority to Operate with an expiry 
date of June 28, 2023, to process information up to and including Protected B service 
delivery information with availability (PBMM) commencing 
immediately following approval of this document. 


1. The actions identified in the Security Management Action Plan (SMAP) document are 
addressed following the timelines identified within the SMAP, and evidence of their 
implementation is provided to Cyber Security’s Risk Assessment and Consultation 
team for re-assessment. 


rization Package - $ 


The Authorization Package is the sum of the work products supporting the Security 
Authorization. This will normally include all the SLMF work products pertaining to the 
Primary Assets of the IT-Enabled Service. 


The assessment of security controls for each Service Assets is completed as a distinct work 
product, either as part of a Service Release or a Service Baseline Security Assessments. 


The details of the determination of the Security Risks Level are subject to a distinct Security 
Assessment Report. Only asummary is presented here. 


Baseline Evolution 
Assessment of Security 
Completed Posture 


PHAC Contact Tracing 
Desktop Application 


ArriveCan Contact 


Tracing Mobile App and 
Backend 


Mandatory Random 
Testing (MRT 
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Tracking by Re 


Each Service Assets impacting the security posture of a Service is normally security-assessed 
as part of a Release. The table below provides information as to which version of the SA is 
associated with a specific Release, where it will support the ORR SMC Review. 


Each Service Assets impacting the security posture of a Service is normally security-assessed 
as part of a Release. The table below provides information as to which version of the SA is 
associated with a specific Release, where it will support the ORR SEMC Review. 

| Service Name: | COVID-19 Contract Tracing applications 


Releases Service Asset(s) | Type ofsecurity work Security Resulting 
impacted product completed pe ju version 
product of SA 


ArriveCan ArriveCan Final Security 2022-06- aa 
V3 Assessment Report 
(FSAR) Security 
Management Action 
Plan (SMAP 
V3 Backend | Backend 
ArriveCan ArriveCan FSAR, SMAP 2021-12-10 
V2.24 Contact 
Tracing 
Mobile App 
and Backend 


ArriveCan ArriveCan FSAR, SMAP 2021-11-29 
V2.23 Contact 

Tracing 

Mobile App 

and Backend 


BSO Mobile | BSO Mobile FSAR, SMAP 2021-11-25 
App Lite 


R1867 MRT FSAR 2021-10-18 


ArriveCan ArriveCan FSAR, SMAP 2021-10-18 
V2.22 Contact 

Tracing 

Mobile App 

and Backend 


ArriveCan ArriveCan FSAR, SMAP 2021-06-30 
V2.19 PVC Contact 
Tracing 


a 


3 important: Unless otherwise specified, Maintenance Releases {MR are not included in the tracking. Maintenance 
Releases have, by definition, low security impact and are reviewed through a separate process. Where a ME is considered 
to have a potential impact on the security posture of a Service, it may be included here, as an exception, and be subject to a 
Security Authorization. 
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| Service Name: | COVID-19 Contract Tracing applications 


Release: Service Asset(s) | Type ofsecurity work Security | Resulting 
impacted product completed Impacts | version 
Dan of SA 
E Lattes 
and Backend 


ArriveCan ArriveCan et SMAP 2020-07- un 
v2 Contact 

Tracing 

Mobile App 

and Backend 


PHAC Interim Interim Security 2020-04-03 
Desktop Security Authorization (ISA) 
Authorization 


ArriveCan ArriveCan FSAR, SMAP 2020-04-16 1.1 
vi Contact 

Tracing 

Mobile App 

and Backend 
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4 
This section shows the current revision of this document. 


Security Authorization 
Version Date Final sign-off 
Number? | Completed ue on 
1.0 2020-04-03 | COVID 19 - Contact tracing desktop 
application V1 


2020-04-16 | ArriveCan Mobile Application Release 1 es 06-16 


1.2 2020-07-13 | ArriveCan Release 2 2020-07-14 
Valid 2020-07-14 thru 2021-01-14 


2021-06-30 | ArriveCan v2.19 - Proof of Vaccine 2021-07-04 
2021-10-18 | ArriveCan v2.22 - BSO 2021-11-03 
2021-10-27 | R1867 - Mandatory Random Testing (MRT) | 2021-11-08 


BSO Mobile Lite 
uae 2021-11-26 thru 2022-11-26 
lee = OO ll 
Valid 2021- 11 -29 thru 2022-05-29 
2021-12-10 | ArriveCan v2.24 - Security Uplift 2021-12-15 
Valid 2021-12-14 thru 2022-12-14 


ArriveCan Backend - V3 
Valid 2022-03-21 thru 2023-03-21 
Valid 2022-06-28 thru 2023-06-28 


2022-08-02 | R2094 - Mandatory Random Testing (MRT) | |. 


1 important / sin the list of the Service Assets Hsted in section 4.1 isc E re £ a major revision te g going from 
2,3 ta 3.0), y in the security rati 8 summary of the same section, without addition or removal of Service 
Assets is considered a minor revision (eg. going from 2.3 to 2.4) 
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IGNATUR 


This SMCM Security Authorization (SA) has been developed and produced in accordance 
with ISTB’s Service Life Cycle Management Framework, Baseline 3. 


Approvals - Security Authorization 


I have completed the review of the key evidence supporting this security authorization, including 
the summary of security risks in Section 2. 


Iam granting/re-granting this information system an Interim Authorization to Operate and, in so 
doing, I accept the security risk to the business associated with running that system within the 
current operational context. 

The security authorization of the information system will remain in effect as long as it satisfies the 
requirement for continuous monitoring or that it is revoked by the authorizers. 


Program Owner: Mary Teresa Glynn, a/Director, COVID - 19 Border Task Force 
Conditions: Digital Signature /Date 


Service Owner: Carol Sabourin, Executive Director, Project and Service Management Oversight 


Conditions: Digital Signature /Date 
ed by SABOURIN CAROL 


Digitally sign 
DN: C=ca, O=ge, OU=ccra-adre, OU=PERSONNEL, 
CN=SABOURIN CAROL + 
SERIALNUMBER =2018 194083752084 

‘Reason: | am the author of this document 


4zoeatton: your signing location here 
Date: 2022-08-05 13:36:46 
oxit PhantomPDF Version: 10.0 


Cloud Competency Center: Bruce Mchaffie, a/Director General, Cloud Competency Centre 
Conditions: Digital Signature /Date 


MCHAFFIE BRUCE bite 20220802 164809 0400 - 


CBSA Chief Technology Officer: Herve Madelaine, a/Executive Director, IT Operations 
Conditions: Digital Signature /Date 


Cyber Security: Steven Proulx, Director, Cyber Security and IT Continui 


Conditions: Digital Signature /Date 
Digitally signed by HARGRAVE 


acting fof Steven HARGRAVE CAROLE carote 


Date: 2022.08.02 11:58:55 -04'00' 


Chief Security Officer: Lindsay Reeves, Director, Infrastructure and Information Securi 
Conditions: Digital Signature /Date 
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The Security Authorization (SA) document conveys the final security authorization decision 
from the authorizing officials to grant an “Authorization to Operate - ATO” and, in so doing, 
accepts the risk to the business associated with running that system within the current 
operational context. 


ON (SA) CONTENT 


The explicit acceptance of risk is the responsibility of the authorizing officials and cannot be 
delegated to other officials within the organization. For all SA, the authorizing officials 
include, as a minimum: 


I. The IT-Enabled Service Business Owner 
Il. The IT-Enabled Service Owner 
III. The Departmental Security Officer 


The authorizer may issue an ATO, with or without conditions, or issue a denial of 
Authorization to Operate. The decision will be based on several factors, most importantly the 
acceptability of the residual risks and the nature of outstanding security deficiencies. 
Balancing security considerations with mission and operational needs is paramount to 
achieving an acceptable authorization decision. 


Authorization is a state that an information system is in during the operations and 
maintenance phase of its lifecycle. It is not a condition that expires after a period of time and 
that needs to be renewed. The SA is an ongoing process. Once in operation, an information 
system is subjected to continuous security monitoring and assessment by the responsible IT 
security group. 


The terms and conditions for the authorization provide a description of any specific 
limitations or restrictions placed on the operation of the information system or inherited 
controls that must be followed by the system owner or common control provider. 


1 § it horization in the context of F 


The SLMF has established the concept of “IT-Enabled Services” as the unit of management of 
service assets such as software applications. The decision to grant a SA is also performed at 
the IT-Enabled Service level. 


The security posture a service is the sum of the security risks of its primary assets. 


Important: The SA does not pertain to a “Solution”, which typically integrates multiple IT- 
Enabled Services. Each Service must have its own SA. The security posture of a “Solution” is 
the sum of the security posture for all the services that are integrated by the solution. 
Acceptance of the security posture of a “Solution” is a Programs function, which is not in 
scope of the present SA. 


Although a release typically pertains to assets of a single service, a release may also impact 
the security posture of multiple services. In these situations, that release may require more 
than one SA. By the same token, a release may pertain to a single service but affect multiple 
primary assets, in this case it would only require a unique SA. 
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ndatory m Testing (IMRT) 1.5 release ( 


This application has a level of assessed risk, for which the target level of acceptable 
residual risk is 


This Security Authorization provides an authority to Operate, to process information up to 
and including Protected B service delivery information with 

availability (PBMM) commencing immediately following approval of this document. | 
Authorization Package - Tracking by Release 

2.2 Authorization Package - Summary of Security Risks 


The Authorization Package is the sum of the work products supporting the Security 
Authorization. This will normally include all the SLMF work products pertaining to the 
Primary Assets of the IT-Enabled Service. 


The assessment of security controls for each Service Assets is completed as a distinct work 
product, either as part of a Service Release or a Service Baseline Security Assessments. 


The details of the determination of the Security Risks Level are subject to a distinct Security 
Assessment Report. Only a summary is presented here. 


Asset Last Assessment | Baseline Security Risk Evolution 

Date Assessment Level of Security 
ne leted LE 

PHAC Contact Tracing || 04-03 

Desktop Application 

ArriveCan Contact cn 06-23 

Tracing Mobile App and 

Backend 

Mandatory Random 2022-07-25 

Testing (MRT 

BSO Mobile App 2021-11-25 


- Tracking by Rel 


Each Service Assets impacting the security posture of a Service is normally security-assessed 
as part of a Release. The table below provides information as to which version of the SA is 
associated with a specific Release, where it will support the ORR SMC Review. 


Each Service Assets impacting the security posture of a Service is normally security-assessed 


as part of a Release. The table below provides information as to which version of the SA is 
associated with a specific Release, where it will support the ORR SEMC Review. 
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Service Name: | COVID-19 Contract Tracing applications 


Service Asset(s) | Type of security work Security Resulting 
impacted product completed Impacts version 
product of SA 


R2094 MRT 
ArriveCan ArriveCan Final Security 2022-06-14 : 
V3 Assessment Report 
(FSAR) Security 
Management Action 
Plan (SMAP) 
ArriveCan | ArriveCan FSAR, SMAP . 
V3 Backend | Backend 
ArriveCan ArriveCan FSAR, SMAP 2021-12-10 ; 
V2.24 Contact 
Tracing 
Mobile App 
and Backend 
ArriveCan ArriveCan FSAR, SMAP 2021-11-29 : 
V2.23 Contact 

Tracing 

Mobile App 

and Backend 


BSO Mobile | BSO Mobile FSAR, SMAP 2021-11-25 
App Lite 


R1867 MRT FSAR 2021-10-18 


ArriveCan ArriveCan FSAR, SMAP 2021-10-18 
V2.22 Contact 

Tracing 

Mobile App 

and Backend 
ArriveCan ArriveCan FSAR, SMAP 2021-06-30 
V2.19 PVC Contact 

Tracing 

Mobile App 

and Backend 
ArriveCan ArriveCan FSAR, SMAP 2020-07-13 
v2 Contact 

Tracing 

Mobile App 

and Backend 


3 important: Unless otherwise specified, Maintenance Releases (MR) are not included in the tracking, Maintenance 
Releases have, by definition, low security impact and are reviewed through a separate process. Where a MR is considered 
to have a potential impact on the security posture of a Service, it may be included here, as an exception, and be subject toa 
Security Authorization. 
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Service Name: 
Release? 


ArriveCan 


Desktop 


COVID-19 Contract Tracing applications 


Service Asset(s) | Type of security work Security Resulting 
impacted product completed Impacts version 
product of SA 


1.1 
0 


Interim Interim Security 2020-04-03 
Security Authorization (ISA) 
Authorization 


1 


ArriveCan FSAR, SMAP 2020-04-16 
Contact 

Tracing 

Mobile App 

and Backend 
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VERSION: 1.6 
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l'inf 
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SION ASTOR 
This section shows the current revision of this document. 


Security Authorization 
Version Date Final sign-off 
Numbert | Completed completed on 
1.0 2020-04-03 | COVID 19 - Contact tracking desktop 

application Valid 2020-04-03 thru 2020-10-03 
1.1 2020-04-16 | ArriveCan Mobile Application Release 1 

Valid 2020-04-17 thru 2020-10-17 
1.2 2020-07-13 | ArriveCan Release 2 

Valid 2020-07-14 thru 2021-01-14 


ArriveCan v2.19 - Proof of Vaccine 
Valid 2021-07-05 thru 2022-07-05 
ArriveCan v2.22 - BSO 
Valid 2021-10-18 thru 2022-10-18 
En 


1.5 2021-10-27 | R1867 - Mandatory Random Testing (MRT) 2021-11-08 
6 


1. 2021-11-25 | BSO Mobile Lite 
Valid 2021-11-26 thru 2022-11-26 


“important: Any change in the list of the Service Assets listed in section 44 is considered a major revision {eg going from 
2.3 to 3.0), while any change in the security rating summary of the same section, without addition or removal of Service 
Assets is considered a minor revision (es. going from 2.3 ta 24) 
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IGNAT À 


This SMCM Security Authorization (SA) has been developed and produced in accordance 
with ISTB’s Service Life Cycle Management Framework, Baseline 3. 


Approvals - Security Authorization 


I have completed the review of the key evidence supporting this security authorization, 
including the summary of security risks in Section 2. 


I am granting/re-granting this information system an Interim Authorization to Operate and, in 
so doing, I accept the security risk to the business associated with running that system within 
the current operational context. 

The security authorization of the information system will remain in effectas long as it satisfies 
the requirement for continuous monitoring or that it is revoked by the authorizers. 


Program Owner: Calvin Christiansen, Director General, COVID-19 Border Task Force 


Conditions: Digital Signature /Date —— | 
Digitally signed by Sharon Spicer 


S h a ro n DN: CN=Sharon Spicer, 
E=sharon.spicer@cbsa-asfc.gc.ca 
Reason: | am approving this document 
Location: your signing location here 


S pl cer Date: 2021-12-16 22:03:13 
Foxit PhantomPDF Version: 10.0.1 
Service Owner: Antonio Utano, a/Director General, Border Technologies Innovation 


Conditions: Digital Signature /Date 
Digitally signed by LAUZON 


LAUZO N STEV ere 11.25 18:49:02 


-05'00' 


CBSA Chief Technology Officer: Daniel Tremblay, Director General, IT Solutions and 
Operations 


|| understand and acknowledge that the Agency has Digital Signature /Date 
idetermined the business benefit represented by this TR E M B L AY Caca, O=gc, OU=ccra-adre, 
service significant enough to warrant the issuance of a QU=PERSONNEL, CN=TREMBLAY DANIEL + 


Digitally signed by TREMBLAY DANIEL 


M ets A i El UMBER=2015145231123057 
time-limited SA pending the more comprehensive | am the author of this document 


implementation of mitigations and safeguards, and | will D A N | E L Location: your signing location here 
collaborate with other stakeholders within the Agency's Geet PlianiamPDF Version: 10.0.1 


prioritization framework to accomplish that. z | nu 
-eyr 6 UE MISTU General, Enterprise Collaboration and Digital 
Services 


Conditions: Digital Signature /Date 
Signature numérique de 
LECHASSEUR  tecuasseur cino 
Date : 2021.11.25 17:07:06 
GINO bate 


Chief Security Officer: Pierre Lessard, CSO and Director General, Security and Professional 
Standards 


Conditions: Digital Signature /Date 


Digitally signed by LESSARD 


LESSARD PIERRE Perre 


Date: 2021.11.26 09:20:27 -05'00' 
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The Security Authorization (SA) document conveys the final security authorization decision 
from the authorizing officials to grant an “Authorization to Operate - ATO” and, in so doing, 


accepts the risk to the business associated with running that system within the current 
operational context. 


The explicit acceptance of risk is the responsibility of the authorizing officials and cannot be 
delegated to other officials within the organization. For all SA, the authorizing officials 
include, as a minimum: 
I. The IT-Enabled Service Business Owner 
I]. The IT-Enabled Service Owner 
III]. The Departmental Security Officer 


The authorizer may issue an ATO, with or without conditions, or issue a denial of 
Authorization to Operate. The decision will be based on several factors, most importantly the 
acceptability of the residual risks and the nature of outstanding security deficiencies. 
Balancing security considerations with mission and operational needs is paramount to 
achieving an acceptable authorization decision. 


Authorization is a state that an information system is in during the operations and 
maintenance phase of its lifecycle. It is not a condition that expires after a period of time and 
that needs to be renewed. The SA is an ongoing process. Once in operation, an information 
system is subjected to continuous security monitoring and assessment bythe responsible IT 
security group. 


The terms and conditions forthe authorization provide a description of any specific 
limitations or restrictions placed on the operation of the information system or inherited 
controls that must be followed by the system owner or common control provider. 


The SLMF has established the concept of “IT-Enabled Services” as the unit of management of 
service assets such as software applications. The decision to grant a SA is also performed at 
the IT-Enabled Service level. 


The security posture a service is the sum of the security risks of its primary assets. 


Important: The SA does not pertain to a “Solution”, which typically integrates multiple IT- 
Enabled Services. Each Service must have its own SA. The security posture of a “Solution” is 
the sum of the security posture for all the services that are integrated by the solution. 
Acceptance of the security posture ofa “Solution” is a Programs function, which is not in 
scope of the present SA. 


Although a release typically pertains to assets ofa single service, a release may also impact 
the security posture of multiple services. In these situations, that release may require more 
than one SA. By the same token, a release may pertain to a single service but affect multiple 
primary assets, in this case it would only require a unique SA. 
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This application has a level of assessed risk, for which the target level of acceptable 
residual risk 


This Interim Security Authorization provides an interim authority to Operate with an expiry 
date of November 26, 2022, to process information up to and including Unclassified service 
delivery information with availability commencing 
immediately following approval of this document. 


1. The actions identified in the Security Management Action Plan (SMAP) document are 
addressed following the timelines identified within the SMAP, and evidence of their 
implementation is provided to Cyber Security’s Risk Assessment and Consultation 
team for re-assessment. 


rization Package - $ 


The Authorization Package is the sum of the work products supporting the Security 
Authorization. This will normally include all the SLMF work products pertaining to the 
Primary Assets of the IT-Enabled Service. 


The assessment of security controls for each Service Assets is completed as a distinct work 
product, either as part of a Service Release or a Service Baseline Security Assessments. 


The details of the determination of the Security Risks Level are subject to a distinct Security 
Assessment Report. Only asummary is presented here. 


Baseline Security Risk Evolution 
Assessment Level of Security 
Completed Posture 


PHAC Contact Tracking N/A 
Desktop Application 


ArriveCan Contact Improved 
Tracking Mobile App 
and Backend 


Mandatory Random N/A 


Testing (MRT 


.2 Authorization Package - Tracking by Releases 


Each Service Assets impacting the security posture of a Service is normally security-assessed 
as part of a Release. The table below provides information as to which version of the SA is 
associated with a specific Release, where it will support the ORR SMC Review. 
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Each Service Assets impacting the security posture of a Service is normally security-assessed 
as part of a Release. The table below provides information as to which version of the SA is 
associated with a specific Release, where it will support the ORR SEMC Review. 

COVID-19 Contract Tracking applications 


Release? Service Asset(s) | Type ofsecurity work Security | Resulting 
impacted product completed Impacts | version 
product of SA 


BSO Mobile | BSO Mobile Final Security 2021-11-25 ; 
App Lite Assessment Report 
(FSAR) Security 
Management Action 
Plan (SMAP 
ArriveCan ArriveCan FSAR, SMAP 2021-10-18 . 
V2.22 Contact 
Tracking 
Mobile App 
and Backend 


ArriveCan ArriveCan FSAR, SMAP 2021-06-30 
V2.19 PVC Contact 

Tracking 

Mobile App 

and Backend 
ArriveCan ArriveCan FSAR, SMAP 2020-07-13 
v2 Contact 

Tracking 

Mobile App 

and Backend 
ArriveCan ArriveCan FSAR, SMAP 2020-04-16 
vi Contact 

Tracking 

Mobile App 

and Backend 


PHAC Interim Interim Security 2020-04-03 
Desktop Security Authorization (ISA) 
Authorization 


2 important: Unless otherwise specified, Maintenance Releases {MR are not included in the tracking. Maintenance 
Releases have, by definition, low security impact and are reviewed through a separate process. Where a MR is considered 
to have a potential impact on the security posture of a Service, it may be included here, as an exception, and be subject to a 
Security Authorization. 
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